CVE-2026-43261 Overview
CVE-2026-43261 affects the Linux kernel running on arm64 systems with the HiSilicon TSV110 processor. The TSV110 core is susceptible to the Spectre-BHB (Branch History Buffer) attack, a transient-execution side channel that allows attackers to leak privileged memory contents via branch prediction. Before this fix, the kernel did not include the TSV110 MIDR (Main ID Register) in its Spectre-BHB software mitigation list, leaving affected systems unprotected. The patch adds TSV110 to the list of cores requiring software mitigation, ensuring the kernel applies the appropriate workaround at runtime.
Critical Impact
Local attackers running unprivileged code on TSV110-based arm64 systems can leverage branch history buffer mispredictions to leak kernel memory across privilege boundaries.
Affected Products
- Linux kernel builds for arm64 running on HiSilicon TSV110 cores
- Stable kernel branches prior to the commits referenced below
- Distributions shipping unpatched mainline or stable kernels on TSV110 hardware
Discovery Timeline
- 2026-05-06 - CVE-2026-43261 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43261
Vulnerability Analysis
Spectre-BHB is a variant of Spectre-v2 that abuses the shared Branch History Buffer in arm64 cores. An attacker primes the BHB with controlled branch patterns, then triggers a transition into a higher-privilege context such as a kernel syscall or hypervisor entry. The mistrained predictor causes speculative execution of attacker-influenced gadgets in privileged code, leaving cache-resident traces of secret data.
The Linux kernel maintains a per-core list of MIDRs that require software mitigation, typically a loop that overwrites the BHB on exception entry. The TSV110 core was missing from this list. As a result, the kernel skipped applying the BHB-clearing sequence on TSV110 systems, leaving syscall and exception entry paths exposed to BHB poisoning.
Root Cause
The root cause is an incomplete CPU enumeration in the arm64 Spectre-BHB mitigation logic [CWE-1037: Processor Optimization Removal or Modification of Security-critical Code]. The TSV110 MIDR was not registered in the software mitigation match table, so the runtime patcher never installed the BHB-clearing trampoline on entry vectors for that core.
Attack Vector
Exploitation requires local code execution on a TSV110-based system. An unprivileged process trains the BHB with attacker-chosen branch histories, issues a syscall or other exception, and then measures cache state to recover speculatively leaked bytes. No special privileges, network access, or user interaction is required beyond the ability to run code. The attack is a side-channel disclosure rather than direct code execution.
No public proof-of-concept code is available for the TSV110-specific path. Spectre-BHB has been demonstrated by academic researchers on other arm64 cores using similar branch-priming techniques. Refer to the upstream patch in Linux Kernel Commit 598c11d for the exact MIDR addition and mitigation wiring.
Detection Methods for CVE-2026-43261
Indicators of Compromise
- No reliable host-based IOCs exist for Spectre-BHB exploitation, since the attack leaves no persistent artifacts on disk or in process memory.
- Unexpected long-running unprivileged processes performing tight branch loops combined with cache timing measurements may indicate side-channel probing.
- Kernel boot logs on TSV110 hardware that do not report spectre-bhb: mitigation: software sequence indicate the host is unpatched.
Detection Strategies
- Inventory arm64 hosts and identify those running on HiSilicon TSV110 cores by inspecting /proc/cpuinfo and the MIDR register.
- Query /sys/devices/system/cpu/vulnerabilities/spectre_v2 to confirm whether BHB mitigation is active after patching.
- Compare running kernel versions against the fixed commits listed in the upstream stable tree references.
Monitoring Recommendations
- Monitor for unprivileged workloads performing high-frequency syscalls paired with perf-style cache timing primitives.
- Track kernel package versions across the fleet and alert on TSV110 hosts running pre-patch kernels.
- Forward kernel boot messages to a central log store and search for absence of Spectre-BHB mitigation strings on TSV110 systems.
How to Mitigate CVE-2026-43261
Immediate Actions Required
- Identify all arm64 hosts using HiSilicon TSV110 cores and prioritize them for kernel updates.
- Apply the upstream stable kernel update that includes the TSV110 MIDR addition to the Spectre-BHB mitigation list.
- Restrict the ability of untrusted users to execute arbitrary native code on affected hosts until patches are deployed.
Patch Information
The fix has been merged to multiple stable Linux kernel branches. Apply the kernel build from your distribution that includes one of the following commits: 598c11dd, 5dbe1f14, a8d0ad5d, ad0c356c, cccf96c4, e3baa5d4, fd51d47f, or fd7e3608. After patching, the kernel registers the TSV110 MIDR and installs the BHB-clearing sequence on exception entry.
Workarounds
- Limit local code execution on TSV110 hosts by enforcing strict allowlisting of binaries and disabling untrusted container or multi-tenant workloads.
- Disable simultaneous multitenancy on shared TSV110 hardware where untrusted users can run native code alongside sensitive workloads.
- Where feasible, migrate sensitive workloads to arm64 cores that already include Spectre-BHB mitigations or to architectures unaffected by the TSV110 enumeration gap.
# Verify Spectre-BHB mitigation status after patching
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
# Confirm the running CPU implementer/part is TSV110
grep -E 'CPU implementer|CPU part' /proc/cpuinfo
# Check the running kernel version against fixed stable releases
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
